1

I have exposed some rest api using Jersey 2(Tomcat server) and successfully implemented Basic authentication(only needed authentication stuff not authorization) using ContainerRequestFilter filter as below

public class AuthFilter implements ContainerRequestFilter{

    @Context
    HttpServletRequest request;

    @Override
    public void filter(ContainerRequestContext context)  {
     ............................
     //getting username/password authorization header and validating

When I told the same to my Lead, he said don't use filters as every time your rest api is hit, this filter will get invoked.Therefore, implement basic authentication security at container level.I am using Tomcat server. In web.xml, this is defined

<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>

Is the above he is referring to? Can anyone please guide me how to implement the way my lead is saying?

Improve this question
1

1 Answer 1

Reset to default
2

The documentation gives you examples on how to configure this via web.xml. You'll need to configure this using a login-config that belongs to a realm. The web container then takes care of securing resources based on URL patterns.

  • Note that the data is sent in plain text (in encoded form) via a HTTP header, so you'll need to think of ways to ensure that is not snooped on (like HTTPS).
  • Whether you check this header on a filter or on the container does not relieve you of the overhead required for making the check (which is probably negligible, but I've never profiled this area of the code to quote numbers).
Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

What is realm here? Also, to clarify I only need to do authentication part not authorization.
A realm can be a file based or database based authentication store. tomcat-users.xml is an XML based file realm.
How to use database based authentication? In conf/server.xml, do i need to create realm? Also, what realm name should be given in web.xml?
Take a look at DataSourceRealm. You can choose any realm name.
I successfully implemented it..on hitting a rest api, dialog box pops up that asks for credentials..but i don't want it rather i want to send authorization header using some rest tool like postman, advanced rest client etc...Can u please tell me how to do that?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.